U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
AUDITING DIVISION

AUDIT REPORT
Issue Date: November 15, 2007
Number: 8-03

To:       Steven C. Preston
          Administrator

          Jennifer Main
          Chief Financial Officer

From:     Debra Ritt [Exemption 6]
          Assistant Inspector General for Auditing

Subject:  Audit of SBA's FY 2007 Financial Statements

Pursuant to the Chief Financial Officer's Act of 1990, attached are the Independent
Auditors' Report and accompanying reports on internal control and compliance with laws
and regulations issued by KPMG LLP for the fiscal year ending September 30, 2007. The
audit was performed under a contract with the Office of Inspector General (OIG) and in
accordance with Generally Accepted Government Auditing Standards; Office of
Management and Budget's (OMB) Bulletin 07-04, Audit Requirements for Federal
Financial Statements, the Government Accountability Office (GAO)/President's Council on
Integrity and Efficiency (PCIE) Financial Audit Manual and GAO's Federal Information
System Controls Audit Manual.

The KPMG report concluded that SBA's consolidated financial statements presented
fairly, in all material respects, the financial position of SBA as of and for the years ended
September 30, 2007 and 2006.
It also presented fairly, in all material respects, SBA's net
costs, changes in net position, and combined statements of budgetary resources for the years
then ended.

With respect to internal control over financial reporting, KPMG reported a
significant deficiency related to Information Technology security controls, but did not
consider this deficiency to be a material weakness. Details regarding this significant
deficiency are discussed more in Exhibit 1 of the Independent Auditors' Report.

KPMG's test for compliance with certain laws, regulations, contracts and grant
agreements determined that the Agency does not fully comply with the Debt Collection
Improvement Act (DCIA) of 1996 because SBA does not consistently follow Treasury
guidelines when referring delinquent debts for collection. Details regarding the auditor's
conclusion are included in the Compliance and Other Matters section of the Independent
Auditor's Report. The auditors did not report any other instances or matters regarding
noncompliance.

We provided a draft of KPMG's report to SBA's Chief Financial Officer (CFO),
who concurred with its findings and recommendations and agreed to implement the
recommendations. The CFO is pleased that SBA has received an unqualified audit opinion
with no reported material weaknesses and believes these results accurately reflect the quality
of the Agency's financial statements and its improved accounting, budgeting and reporting
processes. The CFO also acknowledged that SBA was not in compliance with the DCIA,
and outlined Agency plans to improve standard operating procedures.

We reviewed a copy of KPMG's report and related documentation and made
necessary inquiries of their respective representatives.
Our review was not intended to
enable us to express, and we do not express, an opinion on the SBA's financial statements,
KPMG's conclusions about the effectiveness of internal control, or its conclusions about
SBA's compliance with laws and regulations. However, our review disclosed no instances
where KPMG did not comply, in all material respects, with Generally Accepted Government
Auditing Standards.

We appreciate the cooperation and assistance of SBA and KPMG. Should you or
your staff have any questions, please contact me at [Exemp 2] or Jeffrey R. Brindle,
Director, Information Technology and Financial Management Group at (202) 205-[Exemption 2]

Attachments

KPMG LLP
2001 M Street, NW
Washington, DC 20036

Independent Auditors' Report

Office of Inspector General
U.S. Small Business Administration:

We have audited the accompanying consolidated balance sheets of the U.S. Small Business
Administration (SBA) as of September 30, 2007 and 2006, and the related consolidated
statements of net cost, changes in net position, and combined statements of budgetary resources
(hereinafter referred to as "consolidated financial statements") for the years then ended. The
objective of our audits was to express an opinion on the fair presentation of these consolidated
financial statements.
In connection with our fiscal year 2007 audit, we also considered SBA's
internal controls over financial reporting and tested SBA's compliance with certain provisions of
applicable laws, regulations, contracts, and grant agreements that could have a direct and material
effect on these consolidated financial statements.

SUMMARY

As stated in our opinion on the consolidated financial statements, we concluded that SBA's
consolidated financial statements as of and for the years ended September 30, 2007 and 2006, are
presented fairly, in all material respects, in conformity with U.S. generally accepted accounting
principles.

As discussed in Note 16 to the consolidated financial statements, SBA changed its method of
reporting the reconciliation of budgetary resources obligated to the net cost of operations in fiscal
year 2007.

Our consideration of internal control over financial reporting resulted in the following condition
being identified as a significant deficiency:

•   Improvement needed in management's information technology security controls.

However, we did not consider this significant deficiency to be a material weakness.

The results of our tests of compliance with certain provisions of laws, regulations, contracts, and
grant agreements disclosed one instance of noncompliance with the following law that is required
to be reported under Government Auditing Standards, issued by the Comptroller General of the
United States, and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit
Requirements for Federal Financial Statements:

•   Debt Collection Improvement Act of 1996 (DCIA)

The following sections discuss our opinion on SBA's consolidated financial statements; our
consideration of SBA's internal control over financial reporting; our tests of SBA's compliance
with certain provisions of applicable laws, regulations, contracts, and grant agreements; and
management's and our responsibilities.

OPINION ON THE FINANCIAL STATEMENTS

We have audited the accompanying consolidated balance sheets of SBA as of September 30,
2007 and 2006, and the related consolidated statements of net cost, changes in net position, and
the combined statements of budgetary resources for the years then ended.

In our opinion, the consolidated financial statements referred to above present fairly, in all
material respects, the financial position of SBA as of September 30, 2007 and 2006, and its net
costs, changes in net position, and budgetary resources for the years then ended in conformity
with U.S. generally accepted accounting principles.

As discussed in Note 16 to the consolidated financial statements, SBA changed its method of
reporting the reconciliation of budgetary resources obligated to the net cost of operations in fiscal
year 2007.

The information in the Management Discussion and Analysis, Required Supplementary
Stewardship Information, and Required Supplementary Information sections is not a required part
of the consolidated financial statements, but is supplementary information required by U.S.
generally accepted accounting principles and OMB Circular No. A-136, Financial Reporting
Requirements.
We have applied certain limited procedures, which consisted principally of
inquiries of management regarding the methods of measurement and presentation of this
information. However, we did not audit this information, and accordingly, we express no opinion
on it.

INTERNAL CONTROL OVER FINANCIAL REPORTING

Our consideration of the internal control over financial reporting was for the limited purpose
described in the Responsibilities section of this report and would not necessarily disclose all
deficiencies in the internal control over financial reporting that might be significant deficiencies
or material weaknesses.

A control deficiency exists when the design or operation of a control does not allow management
or employees, in the normal course of performing their assigned functions, to prevent or detect
misstatements on a timely basis. A significant deficiency is a control deficiency, or combination
of control deficiencies, that adversely affects SBA's ability to initiate, authorize, record, process,
or report financial data reliably in accordance with U.S. generally accepted accounting principles
such that there is more than a remote likelihood that a misstatement of SBA's consolidated
financial statements that is more than inconsequential will not be prevented or detected by SBA's
internal control over financial reporting. A material weakness is a significant deficiency, or
combination of significant deficiencies, that results in more than a remote likelihood that a
material misstatement of the financial statements will not be prevented or detected by SBA's
internal control.

In our fiscal year 2007 audit, we consider the deficiency described in Exhibit I to be a significant
deficiency in internal control over financial reporting, and we believe that the significant
deficiency described in Exhibit I is not a material weakness.
Summaries of the status of the prior
year material weakness and reportable conditions, and management's response to our findings are
included as Exhibits III, IV, and V, respectively.

We also noted certain additional matters that we reported to SBA's management in a separate
letter dated November 14, 2007.

COMPLIANCE AND OTHER MATTERS

Our tests of compliance with certain provisions of laws, regulations, contracts, and grant
agreements, as described in the Responsibilities section of this report, exclusive of those referred
to in the Federal Financial Management Improvement Act of 1996 (FFMIA), disclosed one
instance of noncompliance that is required to be reported herein under Government Auditing
Standards or OMB Bulletin No. 07-04, and is described below.

Debt Collection Improvement Act of 1996 (DCIA). During our testwork, we noted that SBA
did not consistently follow Treasury guidelines when referring delinquent debts for collection.
Specifically, we noted that 47 of 140 delinquent debt referral transactions tested were not referred
timely or were coded improperly in SBA's Loan Accounting System. Of the 47 exceptions noted,
41 of the items were referred only to the Treasury Offset Program (TOP), when the DCIA
requirement is to refer delinquent debts to both the TOP and the Treasury Servicing Program. As
a result, management did not refer approximately 24,000 delinquent debts for Treasury
cross-servicing. SBA management believes that the issue stems from outdated standard operating
procedures and a lack of clear instructions to field offices regarding the referral of delinquent debt
to Treasury. SBA management stated it has established revised protocols that will provide clear
instructions to field offices to use in the future regarding how to properly refer charge-offs to the
TOP and Treasury Servicing program in accordance with DCIA.
In regards to the remaining 6
items noted as exceptions above, the referral to Treasury for servicing did not occur within 180
days of delinquency as required by DCIA. According to SBA management, efforts are under way
to address this situation.

The results of our tests of compliance as described in the Responsibilities section of this report,
exclusive of those referred to in FFMIA, disclosed no other instances of noncompliance or other
matters that are required to be reported herein under Government Auditing Standards or OMB
Bulletin No. 07-04.

The results of our tests of FFMIA disclosed no instances in which SBA's financial management
systems did not substantially comply with the three requirements discussed in the Responsibilities
section of this report.

*****

RESPONSIBILITIES

Management's Responsibilities. The United States Code Title 31 Section 3515 and 9106 require
agencies to report annually to Congress on their financial status and any other information needed
to fairly present their financial position and results of operations. To meet these reporting
requirements, SBA prepares and submits financial statements in accordance with OMB Circular
No. A-136.

Management is responsible for the consolidated financial statements, including:

•   Preparing the consolidated financial statements in conformity with U.S. generally accepted
    accounting principles

•   Preparing the Management Discussion and Analysis (including the performance measures),
    Required Supplementary Information, and Required Supplementary Stewardship Information

•   Establishing and maintaining effective internal control

•   Complying with laws, regulations, contracts, and grant agreements applicable to SBA,
    including FFMIA.

In fulfilling this responsibility, management is required to make estimates and judgments to
assess the expected benefits and related costs of internal control policies.

Auditors' Responsibilities. Our responsibility is to express an opinion on the fiscal year 2007
and 2006 consolidated financial statements of SBA based on our audits. We conducted our audits
in accordance with auditing standards generally accepted in the United States of America; the
standards applicable to financial audits contained in Government Auditing Standards, issued by
the Comptroller General of the United States; and OMB Bulletin No. 07-04. Those standards and
OMB Bulletin No. 07-04 require that we plan and perform the audits to obtain reasonable
assurance about whether the consolidated financial statements are free of material misstatement.
An audit includes consideration of internal control over financial reporting as a basis for
designing audit procedures that are appropriate in the circumstances, but not for the purpose of
expressing an opinion on the effectiveness of SBA's internal control over financial reporting.
Accordingly, we express no such opinion.

An audit also includes:

•   Examining, on a test basis, evidence supporting the amounts and disclosures in the
    consolidated financial statements

•   Assessing the accounting principles used and significant estimates made by management

•   Evaluating the overall consolidated financial statement presentation.

We believe that our audits provide a reasonable basis for our opinion.

In planning and performing our fiscal year 2007 audit, we considered SBA's internal control over
financial reporting by obtaining an understanding of the SBA's internal control, determining
whether internal controls had been placed in operation, assessing control risk, and performing
tests of controls as a basis for designing our auditing procedures for the purpose of expressing our
opinion on the consolidated financial statements. We limited our internal control testing to those
controls necessary to achieve the objectives described in Government Auditing Standards and
OMB Bulletin No. 07-04. We did not test all internal controls relevant to operating objectives as
broadly defined by the Federal Managers' Financial Integrity Act of 1982. The objective of our
audit was not to express an opinion on the effectiveness of SBA's internal control over financial
reporting.
Accordingly, we do not express an opinion on the effectiveness of the SBA's internal
control over financial reporting.

As part of obtaining reasonable assurance about whether SBA's fiscal year 2007 consolidated
financial statements are free of material misstatement, we performed tests of SBA's compliance
with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with
which could have a direct and material effect on the determination of SBA financial statement
amounts, and certain provisions of other laws and regulations specified in OMB Bulletin No.
07-04, including certain provisions referred to in FFMIA. We limited our tests of compliance to the
provisions described in the preceding sentence, and we did not test compliance with all laws,
regulations, contracts, and grant agreements applicable to SBA. However, providing an opinion
on compliance with laws, regulations, contracts, and grant agreements was not an objective of our
audit, and accordingly, we do not express such an opinion.

Under OMB Bulletin No. 07-04 and FFMIA, we are required to report whether SBA's financial
management systems substantially comply with (1) Federal financial management systems
requirements, (2) applicable Federal accounting standards, and (3) the United States Government
Standard General Ledger at the transaction level. To meet this requirement, we performed tests of
compliance with FFMIA Section 803(a) requirements.

SBA's response to the findings identified in our audit report is presented in Exhibit V. We did not
audit SBA's response, and accordingly, we express no opinion on it.

This report is intended solely for the information and use of SBA's management, SBA's Office of
Inspector General, OMB, the U.S. Government Accountability Office, and the U.S. Congress, and
is not intended to be, and should not be, used by anyone other than these specified parties.

November 14, 2007

Exhibit I
U.S. Small Business Administration
Significant Deficiency

Introduction

The internal control deficiency discussed in this report and the U.S. Small Business Administration's (SBA)
progress toward correcting it are discussed in the context of SBA's organizational structure and its ability to
obtain funding to take corrective action. Exhibit I herein describes the control deficiencies, which collectively
resulted in the significant deficiency reported below, for the year ended September 30, 2007, and our
recommendations thereon. The status of prior year compliance and internal control deficiencies are reported in
Exhibits II, III, and IV, respectively, and SBA management's response is presented in Exhibit V.

(1) Improvement Needed in Management Information Technology Security Controls

During fiscal year 2007, we noted that SBA made progress in several areas in its efforts to address prior year
Information Technology (IT) internal control deficiencies.
Despite these improvements, deficiencies continue to
exist in the areas of security access controls, software program changes, and end user computing.

Security Access Controls

Integral to an organization's security program management efforts, technical security access controls for systems
and applications should provide reasonable assurance that IT resources such as data files, application programs,
and IT-related facilities/equipment are protected against unauthorized modification, disclosure, loss, or
impairment.

A summary of the security access control deficiencies we identified during the fiscal year 2007 SBA financial
audit follows:

•   There are no procedures documented for the sanctions process against the personnel not compliant with
    existing SBA security policies.

•   The Office of the Chief Information Officer personnel/management (collectively referred to herein as OCIO)
    does not maintain enough storage capacity for the server audit logs.

•   OCIO does not retain the logs long enough to allow for a sufficient review.

•   OCIO does not have formal day-to-day operating procedures documented for data center employees, which
    include segregation of critical functions.

Recommendations - security access controls:

      We recommend that:

      1.  OCIO implement a formal sanctioning policy for those personnel and contractors who do not complete
          the required annual computer security training program.

      2.  OCIO allocate a larger storage space for audit logs.

      3.  OCIO retain audit logs for longer periods (at least a week) to enable sufficient management review.

      4.  OCIO develop and implement specific policies and procedures outlining the day-to-day actions
          performed by data center employees.

Software Program Changes

The primary focus of an organization's software change/configuration management program is on controlling the
software changes made to systems and applications in operation. Without such controls, there is a risk that
security features could be inadvertently or deliberately omitted or turned off, or that processing irregularities or
malicious code could be introduced into the IT environment.

A summary of the software program change control deficiencies we identified during the fiscal year 2007 SBA
financial audit follows:

•   The configuration baselines for the Disaster Credit Management System (DCMS) have not been updated
    with information from the last change to system settings.

•   The configuration baselines for the LAS do not contain a date indicating when it was last updated.

Recommendations - software program changes:

      We recommend that:

      5.  OCIO inform application service providers of policies and procedures for regularly updating DCMS
          configuration baselines and dates for major applications and general support systems.

      6.  OCIO create policies that mandate documentation of all noncompliance with established SBA LAS
          configuration benchmarks and require management approval.

End User Computing

End user computing tools/programs (e.g., spreadsheets and other user-developed programs) present the need for a
unique set of general control needs within an organization. By its nature, end user computing brings the
development and processing of information systems closer to the user. While this environment may not typically
be subjected to the same level of rigor and structure as an IT general controls environment, we believe policies
and procedures in this area are important to the overall IT environment. During our review, we noted that the
Office of the Chief Operating Officer (COO) has not documented policies and program offices have not
documented procedures for end user computing, specifically enforcing access controls over critical end user
programs.

Recommendations - end user computing:

      We recommend that:

      7.  COO develop and implement policies for end user computing, specifically enforcing user-level access
          controls over existing programs and data objects.

      8.  All program offices identify critical end user programs and develop end user computing procedures in
          accordance with end user policies.

Exhibit II
U.S. Small Business Administration
Status of Prior Year Noncompliance

Fiscal Year 2006 Noncompliance:

Federal Financial Management Improvement Act of 1996 (FFMIA) - FFMIA requires Federal agencies
to be in substantial compliance with the criteria listed below:

•   Federal financial management systems requirements

•   Federal accounting standards

•   U.S. Standard General Ledger (USSGL) at the transaction level

During fiscal year 2006, our tests indicated instances in which SBA's information systems did not
substantially comply with the first criteria listed above regarding Federal financial management
systems requirements.

Fiscal Year 2007 Status of Noncompliance:

The results of our tests of compliance with FFMIA in fiscal year 2007 disclosed no instances in
which SBA is in substantial noncompliance with FFMIA.

Exhibit III
U.S. Small Business Administration
Status of Prior Year Material Weakness

Fiscal Year 2006 Finding:

During fiscal year 2006, we reported a material weakness in internal control related to SBA's
financial reporting process.

Fiscal Year 2007 Status of Finding:

During fiscal year 2007, SBA made significant operational improvements over the controls centered
on funds management, financial accounting, and account balance reviews. Additionally, SBA enhanced
its procedures to identify areas of risk in its financial systems and reporting processes to better
assess whether financial information is adequately reported in the financial statements and note
disclosures.

Therefore, in fiscal year 2007, this matter was closed.

Exhibit IV
U.S. Small Business Administration
Status of Prior Year Reportable Conditions

Fiscal Year 2006 Findings [1]:

1.  Improvement needed over budgetary controls surrounding obligations

2.  Improvement needed in management information technology security controls

Fiscal Year 2007 Status of Findings:

1.  During fiscal year 2007, SBA made significant, overall operational improvements over budgetary
    controls centered on travel vouchers and undelivered orders, financial accounting, and account
    balance reviews. In addition, our testwork did not identify any significant misstatements in
    the amounts reported.

    Therefore, this matter was closed in fiscal year 2007.

2.  During our review of SBA's information technology (IT) general and application controls, we
    noted improvements in formalizing policies and procedures over granting users emergency access,
    formalizing continuity of operations plan (COOP), and documenting reviews of remote users.
    However, we continued to identify opportunities for SBA to improve its internal controls. The
    control deficiencies that continue to exist are in the following areas: security access
    controls, software program changes, and end user computing.

    Therefore, in fiscal year 2007, the presentation of the issue was modified to reflect current
    year operations, and we continue to report a significant deficiency in internal controls as it
    relates to IT systems and their impact on the consolidated financial statements. See Exhibit I
    for additional information.

[1] Effective for periods ending on or after December 15, 2006, Statement of Auditing Standards (SAS) No. 112 replaces SAS
No. 60 and establishes new criteria for evaluating internal control deficiencies. Under SAS No. 60, the auditor must evaluate
identified control deficiencies and determine whether those deficiencies, individually or in combination, are significant
deficiencies or material weaknesses. Further, the auditor must communicate, in writing, significant deficiencies and material
weaknesses (including those identified in prior audits but not yet remediated) to management and those charged with
governance.

Exhibit V
U.S. SMALL BUSINESS ADMINISTRATION
WASHINGTON, D.C. 20416

CFO Response to Draft Audit Report on FY 2007 Financial Statements

DATE:         November 14, 2007

TO:           Debra Ritt, Assistant IG for Auditing

FROM:         Jennifer Main, Chief Financial Officer

SUBJECT:      Draft Audit Report on FY 2007 Financial Statements

The Small Business Administration is in receipt of the draft Independent Public
Accountant report from KPMG that includes the auditor's opinion on the financial
statements and review of the Agency's internal control over financial reporting and
compliance with laws and regulations. The IPA audit of the Agency's financial
statements and related processes is a core component of SBA's financial management
program.

We are very pleased that the SBA has received an unqualified audit opinion from the
independent auditor with no reported material weaknesses.
We believe these results
accurately reflect the quality of the Agency's financial statements and our improved
accounting, budgeting and reporting processes. As you know, the SBA has worked hard
over the past several years to address the many findings from our independent auditors.
Our core financial reporting data and processes have improved substantially and we are
proud that the results of our efforts have been confirmed by the independent auditor.

The IPA's report includes a finding that during the year the Office of Capital Access was
not in compliance with the Debt Collection Improvement Act, which requires agencies to
refer outstanding receivables that are delinquent over 180 days to Treasury for
cross-servicing. The OCA was referring loans for Treasury offset, but through a loan system
coding error one of SBA's servicing offices was not referring the same loans for
cross-servicing. Out of date instructions to SBA's loan servicing offices and an incomplete
standard operating procedure on loan servicing contributed to the servicing office's
misunderstanding of the proper procedure for recording charged off loans.

Upon discovering this Treasury referral issue, SBA portfolio management officials
worked with the OCIO to immediately refer the backlog of 24,000 loans for $1.3 billion.
This referral action was completed by July 15, 2007. A mitigation plan is in place to
ensure that this error does not occur in the future. In addition, the SBA reminded all
servicing centers of the procedures for processing charge-off actions, including Treasury
referrals, that have been in effect since August 26, 1999.
This reminder was provided to
all servicing offices by August 30, 2007.

SBA's portfolio management office currently has a project underway to revise the SOP
on loan liquidation to address more completely the Treasury referral procedures for
charged off loans. This project is due for completion by December 12, 2007. As a
follow up to this action SBA's portfolio management office is monitoring samples of
monthly charged off loans to ensure that the loans have been correctly classified for
Treasury referral. As a final step, the portfolio management officials will follow up with
any servicing center that has incorrectly classified charged off loans for Treasury referral.

We appreciate all of your efforts and those of your colleagues in the Office of the
Inspector General as well as those of KPMG. The independent audit process continues to
provide us with new insights and valuable recommendations that will further enhance
SBA's financial management practices. We continue to be committed to excellence in
financial management and look forward to making more progress in the coming year.